微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。, r/ e U* t8 ~/ I2 J1 }4 |
' c/ N6 \: N/ s7 R# w
2 F8 F' V* _: ?4 b W! U' T
\api\StatusesApi.class.php
y8 o! S$ c" V. P 3 }2 G! a$ }1 h8 f
function uploadpic(){3 N! d" v; G* k4 J! i3 f& U7 \8 @( l
if( $_FILES['pic'] ){2 a# a) v n \
//执行上传操作
7 M8 v0 r& d$ d& o4 z $savePath = $this->_getSaveTempPath();# \. o2 n* u9 P# R. u1 C/ ~
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);' B! M9 g0 M8 {; _( o3 O+ V u8 N
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
/ p5 V% D3 f, r- A, | {4 ?$ H+ V- `6 ~" R! ^' q
$result['boolen'] = 1;; ~% p5 E# F/ _ d8 S
$result['type_data'] = 'temp/'.$filename;
4 u# D+ E5 i2 |* o/ Y' ^1 M $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;' f. N. @& q, W2 w( @' Q: ~: u
} else {1 J3 U3 B5 G6 E( d; \
$result['boolen'] = 0;6 M* X( M5 h, K* B1 S
$result['message'] = '上传失败';
1 E" n% ?* r& R5 e4 d }
% Y0 L" a+ I' C( e5 k7 j1 X3 S }else{
- D+ I' X, e6 p $result['boolen'] = 0;8 d0 L. o- f+ u) w8 l
$result['message'] = '上传失败';
. w9 F6 j4 \2 G9 K, a2 Z }
: M0 H; W: m9 _% jreturn $result;
9 {: p/ r$ W) y5 q; O, y }- r( J7 Y/ J1 K& K1 a
unloadpic()方法没有对文件类型进行验证
+ M: ~% _& g# v$ T! F
, P6 X# c. d g; \, F }! k可以构建表单, 选择任意文件, 提交到
1 C% S8 ^5 A- B0 t/index.php?app=w3g&mod=Index&act=doPost
7 S% G" \ O( p% v, {* _
/ \. U3 h( c" y, v( U在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)7 j+ |9 G9 ]8 p
: p" p3 Y G5 O6 w: W: f
" u+ J, @# |4 i/ Y
在登录thinksns官方微博后,6 ? w4 b" k, j, C7 O
构建以下表单:
2 C6 F2 T7 v6 I# [, e- Q " X# m1 e! |; x& o( \( c8 F" S
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
& L3 {& b# U4 R8 d<textarea name="content">test</textarea> r# k! D7 u) x7 t$ \0 F
file: <input id="file" type="file" name="pic" />
1 z# a* S9 b) d* N- P) k<input type="submit" value="Post" />: K1 P% O" L. z- ]" @7 X
</form>
; u* L. f2 i" n去掉缩略图的前缀(small_ )
, K; H1 [; a! H, i! ~修复方案:; X4 i, L3 w Z8 Z
( l' Q! u% D2 C. Q* T2 W5 O
# W1 b" S& \/ Q1 m1 K, h" @: D% r
\api\StatusesApi.class.php
5 N) W" M h! o" x; _6 P0 G9 A4 y 5 e9 N5 l7 X% d
function uploadpic(){
/ M5 t* c9 }: M' B8 E /**
: h! E, j7 [; Z& u * 20121018 @yelo
( }! @0 @+ q( @- Y) ~ * 增加上传类型验证
9 p3 ^" a/ Z% w7 K */
- y3 L' @& T0 h9 e( W $pathinfo = pathinfo($_FILES['pic']['name']);
. P' N. s4 Y/ _2 q( l( F $ext = $pathinfo['extension'];
# N7 l" V' E% _2 k% [6 k1 R/ C0 Z- s $allowExts = array('jpg', 'png', 'gif', 'jpeg');
6 `) b6 _, N8 @5 B6 m3 {
i; M1 E7 E7 M* t6 z $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);3 M& G$ m Q# v5 D3 W
& D! K$ _) D( `0 w4 \# D6 x4 B
if( $uploadCondition ){
; w) v& a% D+ J1 V) T //执行上传操作
! z6 t9 D% [- g+ M2 h9 t# h, Z $savePath = $this->_getSaveTempPath();$ v% W; X( Z* N+ J
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);, `' x: x1 g! @8 u1 ^. V
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))& u7 {1 e" O( ]
{& Z% ]! M* e' T6 S; F
$result['boolen'] = 1;' h* C% v0 E3 n& U! i0 B I
$result['type_data'] = 'temp/'.$filename;
/ u0 z- k- m- I $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
( {7 }3 K5 `$ C+ y } else {
7 k# D9 L2 V( @6 G- i $result['boolen'] = 0; k* }4 R+ S+ U
$result['message'] = '上传失败';" K9 n+ T9 ] W8 z
} t/ I$ s0 h) L8 @2 t4 `
}else{
~) U4 @! E9 L( w$ R $result['boolen'] = 0;
1 f9 K @; g6 N9 _% ^$ Q) A6 s $result['message'] = '上传失败';
- L s+ F6 I _5 T8 w! L1 x( e; p4 l }( ~$ S& I3 Z& i
return $result;
4 i7 m. O6 {: i5 t; a$ r3 E% V0 B }" @! _% ]( b7 c1 h* a$ E1 ~, W
7 I0 r+ u7 S+ p2 e! b% Y/ R% P' B b8 L4 h( B
|
发表于 2012-12-4 11:12:30
收藏
支持
反对